Commit 007d05a

Branch was auto-updated.
2 parents d272cee + 4ab99a6 commit 007d05a

2 files changed

+5
-2
lines changed

detections/web/citrix_adc_exploitation_cve_2023_3519.yml

Lines changed: 4 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -1,6 +1,6 @@
11
name: Citrix ADC Exploitation CVE-2023-3519
22
id: 76ac2dcb-333c-4a77-8ae9-2720cfae47a8
3-
version: 1
3+
version: 2
44
date: '2023-07-21'
55
author: Michael Haag, Splunk
66
status: production
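Review bot: the `version` bump from 1 to 2 is the right call because the search logic and references change in the hunks below, but `date` is left at '2023-07-21'; if this repository treats `date` as the last-modified date rather than the creation date, update it in the same commit so the two fields do not drift apart.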
@@ -14,7 +14,7 @@ description: This analytic is designed to assist in hunting for potential exploi
1414

1515
Please be aware that this analytic is based on current understanding of the vulnerability, and adjustments may be required as more information becomes available.
1616
search: '| tstats count min(_time) as firstTime max(_time)
17-
as lastTime from datamodel=Web where Web.url IN ("*/saml/login","/cgi/samlauth","*/saml/activelogin","/cgi/samlart?samlart=*","*/cgi/logout") Web.http_method=POST
17+
as lastTime from datamodel=Web where Web.url IN ("*/saml/login","/cgi/samlauth","*/saml/activelogin","/cgi/samlart?samlart=*","*/cgi/logout","/gwtest/formssso?event=start&target=*","/netscaler/ns_gui/vpn/*") Web.http_method=POST
1818
by Web.http_user_agent, Web.status Web.http_method, Web.url, Web.url_length, Web.src, Web.dest, sourcetype
1919
| `drop_dm_object_name("Web")`
2020
| `security_content_ctime(firstTime)`
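Review bot: the two new `Web.url` patterns, `/gwtest/formssso?event=start&target=*` and `/netscaler/ns_gui/vpn/*`, are anchored at the path start while the existing entries mix that style with leading-wildcard forms such as `*/saml/login`; if any feeding sourcetype populates `Web.url` with the full URL (scheme and host included), the anchored patterns will silently never match, so a consistent `*/gwtest/formssso?event=start&target=*` and `*/netscaler/ns_gui/vpn/*` form is safer, or the description should state that `Web.url` is expected to be path-only. The `/netscaler/ns_gui/vpn/*` prefix combined with `Web.http_method=POST` is also much broader than the SAML-specific entries, so the `known_false_positives` field (visible in the next hunk header) should describe the legitimate gateway traffic a reader can expect to see under that path.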
@@ -26,6 +26,8 @@ known_false_positives: False positives may be present based on organization use
2626
references:
2727
- https://blog.assetnote.io/2023/07/21/citrix-CVE-2023-3519-analysis/
2828
- https://support.citrix.com/article/CTX561482/citrix-adc-and-citrix-gateway-security-bulletin-for-cve20233519-cve20233466-cve20233467
29+
- https://securityintelligence.com/x-force/x-force-uncovers-global-netscaler-gateway-credential-harvesting-campaign/
30+
- https://support.citrix.com/article/CTX579459/netscaler-adc-and-netscaler-gateway-security-bulletin-for-cve20234966-and-cve20234967
2931
tags:
3032
analytic_story:
3133
- Citrix Netscaler ADC CVE-2023-3519
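Review bot: the two added references cover a credential-harvesting campaign and the CTX579459 bulletin for CVE-2023-4966 and CVE-2023-4967, but the `name`, `description` (which still opens with hunting for exploitation of CVE-2023-3519) and the `analytic_story` entry only mention CVE-2023-3519; either widen the description and story to say the URL list now also targets activity described in those references, or split the new endpoints into a separate detection so the file's metadata matches what the search looks for.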

detections/web/confluence_data_center_and_server_privilege_escalation.yml

Lines changed: 1 addition & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -20,6 +20,7 @@ known_false_positives: False positives may be present with legitimate applicatio
2020
references:
2121
- https://confluence.atlassian.com/security/cve-2023-22515-privilege-escalation-vulnerability-in-confluence-data-center-and-server-1295682276.html
2222
- https://www.rapid7.com/blog/post/2023/10/04/etr-cve-2023-22515-zero-day-privilege-escalation-in-confluence-server-and-data-center/
23+
- https://attackerkb.com/topics/Q5f0ItSzw5/cve-2023-22515/rapid7-analysis
2324
tags:
2425
analytic_story:
2526
- CVE-2023-22515 Privilege Escalation Vulnerability Confluence Data Center and Server
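Review bot: this file only gains a reference (1 addition, 0 deletions per the file summary) with no `version` bump, whereas the Citrix detection in the same commit bumps `version` alongside its changes; confirm that a reference-only edit is exempt from a bump under this repository's conventions, and if not, bump it here too for consistency.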
